PT-2026-41147 · Pypi · Mistune
Across-Verticals-Malaysia
Published 2026-05-14 · Updated 2026-05-26
CVE-2026-44899
CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
mistune (affected versions not specified)
Description
The Image directive plugin fails to properly validate the :width: and :height: options. The validation uses a regular expression that only checks whether the value starts with a digit, rather than ensuring the entire string is a valid number. When a value is not a plain integer, it is inserted directly into a style attribute without escaping. This allows an attacker to inject arbitrary CSS properties by supplying a value that begins with digits followed by malicious CSS. For example, using the :width: parameter, an attacker can inject properties such as position:fixed, background-color, and z-index to create a full-page phishing overlay or perform UI redressing attacks, covering the entire browser viewport and concealing legitimate page content.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
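The start-anchored check described under Description above, beside a full-string check and a renderer that never inserts an unvalidated option, as an added example (this is not mistune's code; the regexes, function names and the sample value are assumptions):

```python
import html
import re
from typing import Optional

# Weak check, an assumed illustration of the flaw the advisory describes (not
# mistune's source): re.match() only anchors at the start of the string, so any
# value that merely begins with a digit passes, whatever follows it.
_WEAK_DIMENSION = re.compile(r"\d+")

# Strict check: fullmatch() requires the whole value to be a number with an
# optional CSS length unit, so nothing extra can be appended to it.
_STRICT_DIMENSION = re.compile(r"\d+(?:\.\d+)?(?:px|em|rem|%)?")


def weak_accepts(value: str) -> bool:
    """Start-anchored check: returns True even for '100;position:fixed'."""
    return _WEAK_DIMENSION.match(value) is not None


def strict_dimension(value: str) -> Optional[str]:
    """Return a normalised CSS length, or None if the option is not a plain length."""
    value = value.strip()
    if _STRICT_DIMENSION.fullmatch(value) is None:
        return None
    # A bare number is treated as pixels; a value carrying a unit is kept as given.
    return value if (value.endswith("%") or value[-1].isalpha()) else value + "px"


def render_image(src: str, width: Optional[str] = None, height: Optional[str] = None) -> str:
    """Build an <img> tag in which only validated lengths reach the style attribute."""
    styles = []
    for prop, raw in (("width", width), ("height", height)):
        if raw is None:
            continue
        length = strict_dimension(raw)
        if length is not None:  # invalid options are dropped, never inserted
            styles.append(f"{prop}:{length}")
    attrs = f' src="{html.escape(src, quote=True)}"'
    if styles:  # escaping is a second layer; validation is the primary control
        attrs += f' style="{html.escape(";".join(styles), quote=True)}"'
    return f"<img{attrs}>"


if __name__ == "__main__":
    # Constructed sample in the shape the advisory describes: a leading number
    # followed by extra CSS declarations.
    injected = "100;position:fixed"
    print("weak check accepts:", weak_accepts(injected))        # True
    print("strict check result:", strict_dimension(injected))   # None
    print(render_image("logo.png", width=injected, height="2em"))
```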
XSS
Affected Products: Mistune